Identity Theft & Data Security Concerns
Are You Meeting Your Obligations to Protect Customer Information?
Finance & Administration Roundtable
February 28, 2007
Claudia Volk, Principal, CJVolk Associates
&
Carol Van Cleef, Partner, Bryan Cave, PC
Agenda
Background: Current Events
Disposal Rule of the Fair and Accurate Credit Transactions Act
Payment Card Industry Data Security Standard
Scope of the Problem
10 million people each year are victims of identity theft
Mean fraud loss per victim in 2005 was $6,383.
Victims spend, on average, 40 hours and $422 to resolve issues related to identity theft.
Losses as a result of identity theft ranged from $53.2 billion in 2003 to $56.6 billion in 2005
Javelin Strategy & Research
Pervasiveness
Changing methods to penetrate data security
The threat within
McAfee Analysis
Planted employees to engage in identity theft and money laundering
Avoid assumptions about the trusted employee
The Disposal Rule
Protect the privacy of the consumer's information
Reduce risk and fraud of identity theft
Applies to any business or individual using consumer reports for business purposes
Federal Trade Commission
June 1, 2005
State laws may apply
The Disposal Rule
The FACT Act requires that:
Any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose, properly dispose of any such information or compilation
The Federal Trade Commission Rule
Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to, or use of, information in connection with its disposal.
The Disposal Rule
Flexible
Reasonable measures based on:
Sensitivity of data
Costs and benefits of different methods
Changes in technology
Consumer reports and any personal and financial information
No de minimis exception
Actual, statutory and punitive damages, plus attorney's fees and civil money penalties
Key Terms
Consumer Information
Any record about an individual
Consumer report or derived from a consumer report
Information obtained from a consumer reporting company
Used or expected to be used in establishing eligibility for credit, insurance, and employment
Paper, electronic or other form
Compilation of such records
Not included: aggregate information or blind data
Key Terms
Disposal / Dispose
Discarding or abandonment of consumer information
Sale, donation or transfer of any medium on which consumer information is stored
Reasonable Measures
Non-exclusive examples
Burn, pulverize or shred papers – cannot practicably be read or reconstructed
Destroy or erase electronic media – cannot practicably be read or reconstructed
Contract with a third party after appropriate due diligence
Review independent audit of operations or compliance with the Disposal Rule
Obtain several references
Require certification by recognized trade associations
Review and evaluate information security policies or procedures
Take other appropriate measures to determine competency and integrity
Action Items
Catalog your information
Review where and how it is stored
Determine who can access it and how
Develop appropriate procedures and controls to comply with the Disposal Rule
Designate a responsible person
Train employees
Audit
Some Suggested Policies and Procedures
Conduct personal background checks
Permanent employees
Temporary hires
Sensitive data limits
Access
Use
Distribution
Secure records – physical and online
Collect and retain only essential information
Make accessible disposal tools
General Data Safeguarding and Security Breach Tips
Integrate into information safeguarding program
Ensure information safeguarding program reflects other changes in law
Prepare ready response plan in the event of a data security breach
Understand requirements of data security breach laws
Data Security Breach Laws
What businesses are covered?
What information is covered?
What triggers notification?
Who must be notified?
Who is responsible for the notice?
When must the notices be given?
Data Breach Notification Best Practices
Encrypt information
Prepare consumer notification plan
Notify general counsel or outside counsel immediately
Conduct an immediate internal investigation
Contact local law enforcement contact
Provide consumer and other notifications if necessary
Industry Response
Cardholder Information Security Program (CISP)
American Express®, Diners Club®, Discover®, JCB®, MasterCard® and Visa® USA
Safekeeping of account information requirements:
Storage of Cardholder Information
Destruction of Cardholder Information
Use of Third Parties
Reporting a Security Incident
Payment Card Industry (PCI) Data Security Standard
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor & Test Networks
Maintain an Information Security Policy
VISA's Cardholder Information Security Program (CISP)
Classification defines merchant audit requirements
Level 1 merchants:
Process > 6 million transactions annually
Have suffered a breach
Are identified as Level 1 by another card issuer
Risk is determined to warrant Level 1 requirements
Level 2: process between 150,000 and 6 million e-commerce transactions annually
Level 3: process 20,000-150,000 e-commerce transactions annually
All other merchants are considered Level 4
CISP Compliance Validation
Merchants:
On-Site Security Audit: Required annually for Level 1
Self-Assessment Questionnaire: Required annually for Level 2 & 3; Recommended for Level 4
Network Scan: Required quarterly for Level 1 & 2; Recommended for Level 4
Service Providers:
On-Site Security Audit: Required annually for Level 1 & 2
Self-Assessment Questionnaire: Required annually for Level 3
Network Scan: Required quarterly
What YOU can do
"Know thy data"
What you have collected
Where it is
Who has access to it
Stay informed about:
Related laws and regulations
Current breach incidents
Best practices
http://usa.visa.com/business/accepting_visa/ops_risk_management/
http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html
Questions and Comments?
Contact Information
CJVolk Associates, Inc.
2776 S. Arlington Mill Rd, Ste. 530
Arlington, VA 22206
www.cjvolk.com
Claudia Volk, Principal
Phone 703-405-4404
Fax 703-940-2510

Bryan Cave LLP
700 Thirteenth Street, NW
Washington, DC 20005
www.bryancave.com
Carol Van Cleef, Partner
Phone 202-508-6112
Fax 202-508-6200